NSF Middleware Initiative: GridShib Tom Barton University of Chicago
What is GridShib? NSF Middleware Initiative (NMI) Grant: “Policy Controlled Attribute Framework” Allow the use of Shibboleth-transported attributes for authorization in NMI Grids built on the Globus Toolkit v4 2 year project started December 1, 2004 Participants Von Welch, UIUC/NCSA (PI) Kate Keahey, UChicago/Argonne (PI) Frank Siebenlist, Argonne Tom Barton, UChicago
Why? Attribute-based authorization has shown itself to be useful in large grids with far-flung participants in several types of roles Identity-based approach scales poorly Shibboleth is well supported and becoming widely deployed SAML is used by larger identity federation world, not just Shibboleth. Integrating SAML support into Grids opens the door to leveraging this large technology space
GridShib Integration Principles No modification to typical grid client applications Modifications only to Grid Services and security clients (e.g. grid-proxy-init) Leverage shibboleth’s attribute marshaling capability and release policies Leverage strategic investment that campuses make in Identity Management operations
GridShib Progress Developers hired February 2005 Substantial resolution of GridShib’s Shibboleth usage profile Shibboleth IdP plugin nearing completion Maps externally-issued X.509 identity certificates to local identifiers SAML attribute marshaling in GT4 runtime nearing completion
GridShib Progress (cont’d) Common attribute format internal to GT4 runtime to support access policies spanning SAML and X.509 PMI attribute sources Uses XACML Request Context Initial GridShib release for closed alpha deployment Readiness by end of June Overlays GT 4.0 and Shib 1.3
Potential Early Adopters Focused efforts to understand and evaluate potential use of GridShib in: caBIG, Cancer Bioinformatics Grid UK eScience Grid LOOKING, Laboratory for the Ocean Observatory Knowledge Integration Grid University of Southern California University of Alabama at Birmingham SURAgrid
GridShib Challenges Identity Provider Discovery Compounded by need in some grids to consult several identity providers for each user Distributed Attribute Administration What happens when the folks running the attribute authority are not the ones authoritative for the attributes? Some projects don’t have resources to run a 7x24 security service, but are the only ones who know the attribute space Explore Signet, Grouper Mapping local subject identifier to externally issued EEC
Distributed Authorities Session authentication credential Attribute Authority Authorities Home Org Affiliated Org Grid user Signet, Grouper Virtual Org Grid Service
Project objectives Priority 1: Pull mode operation Globus services contact Shibboleth to obtain attributes about identified user Support both GT4.x Web Services and pre-WS code Priority 2: Push mode operation User obtains Shib attributes and push to service Allows role selection Priority 3: Online CAs Pseudonymous operation Integration with local authentication services
Timeline December 1, 2004: formal start February 1, 2005: Developers on board and coding Mid-Summer 2005: closed alpha release pull model with user identified Fall 2005: public releases Production pull model with user identified Beta push model with user identified Implementation of simple policy description language Targeting GT 4.1.x and Shibboleth 1.3 2006: Integration with online CAs